Skip to content

Customizable set of JwtClaimValidators for OAuth Resource Server #13249

New issue
New issue
Open
Open
Customizable set of JwtClaimValidators for OAuth Resource Server#13249
Labels
in: configAn issue in spring-security-configtype: enhancementA general enhancement
@romangr

Description

@romangr
romangr
opened on May 31, 2023

Expected Behavior

I expect that additional JwtClaimValidator instances should be easily configured and injected for token processing. It should not require disabling auto-configuration logic that is very helpful in many aspects. Possible solution is to use declared beans of JwtClaimValidator type.

Current Behavior

Currently there is no way to add custom validators without redefining the whole OAuth2ResourceServerJwtConfiguration because validators are not injected but created inside the configuration.

Context

I'm implementing a starter library for microservices system. I created my own auto configuration class and it's quite small because I mostly rely on the OAuth2ResourceServerJwtConfiguration. But when I need to add a custom JWT claims validator the only way to do it is to redefine the whole standard configuration. It's not convenient because the standard configuration contains must have validators like issuer validator and some other logic that is useful (e.g. resolving the source of public key for token validation). I think there is much more room for errors in this approach then if we just provide a way to add custom validators without touching the default configuration.

What I have now is just the same configuration class as in the Spring Security library but I inject all the beans of JwtClaimValidator type to the field and then add all those beans to the list of validators

@Configuration(proxyBeanMethods = false)
@ConditionalOnMissingBean(JwtDecoder.class)
static class JwtDecoderConfiguration {

    private final OAuth2ResourceServerProperties properties;
    private final List<JwtClaimValidator<?>> claimValidators;

    JwtDecoderConfiguration(OAuth2ResourceServerProperties properties, List<JwtClaimValidator<?>> claimValidators) {
      this.properties = properties;
      this.claimValidators = claimValidators;
    }

    private OAuth2TokenValidator<Jwt> getValidators(Supplier<OAuth2TokenValidator<Jwt>> defaultValidator) {
      OAuth2TokenValidator<Jwt> defaultValidators = defaultValidator.get();
      List<String> audiences = this.properties.getAudiences();
      List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
      validators.add(defaultValidators);
      validators.addAll(claimValidators);
      if (!CollectionUtils.isEmpty(audiences)) {
        validators.add(new JwtClaimValidator<List<String>>(JwtClaimNames.AUD,
          (aud) -> aud != null && !Collections.disjoint(aud, audiences)));
      }
      return new DelegatingOAuth2TokenValidator<>(validators);
    }
   
    // All code from OAuth2ResourceServerJwtConfiguration
    ...
  }

It is a working solution but in my opinion it'd be much more convenient and less error prone if it worked this way out of the box.

Metadata

Metadata

Assignees

No one assigned

    Labels

    in: configAn issue in spring-security-configtype: enhancementA general enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions